Cyber-attacks: An Underestimated Risk Without Borders

The fast-paced development of information and communication technology has set the stage for unprecedented growth opportunities but has also created numerous risks. Computer viruses, phishing, denial-of-service attacks: the weapons used by cyber-activists and cyber-criminals are as varied as they are dangerous. Often used in money extortion attempts, they affect both individuals and corporations.
 
Cyber-crime displays dizzying statistics (see insert). Switzerland ranks third among the most targeted European countries, behind Germany and the UK, for advanced and targeted cyber-attacks (APT) in the ranking compiled in the FireEye Advanced Threat Report 2013, and seventh in the world.
 
Factors such as cloud-based data storage systems and BYOD (“bring your own device”) policies, offered by an increasing number of employers who allow their employees to use their own equipment at work, further add to the vulnerability of companies. Smartphones, tablets, laptops and personal storage devices often carry viruses and unpatched vulnerabilities.
 
Employees are often the main cause of security incidents. They unwittingly compromise company data by losing their laptops or by falling for phishing. According to a study by Norton published in 2013, 49% of employees surveyed use their professional equipment for private purposes, 36% cited the lack of rules on the matter in their companies, and 30% let their children use their work devices, either to play or to make purchases.

Difficult to estimate costs

The very continuity of a company – indeed, its future – is at stake, and the financial impact could be substantial. A first round of spending is usually necessary to determine the cause of the problem, the extent of the damage, and plug the loophole. Depending on the size of the company and its market exposure, communication and public relations spending will also be necessary to preserve the company’s image. 
 
In the event that clients’ personal data is leaked, companies may be obliged, depending on the country in which they are based, to notify local authorities and the individuals concerned of the incident, and to do so as quickly as possible. This is the case in almost all US states and in many other countries with similar regulations. European data protection rules, which date back to 1995, are being reformed, with a regulation due shortly that will apply not only to entities established within the European Union (EU), but also to those based outside it that offer goods or services, whether paid or free of charge, to people residing in the EU. In Switzerland, the Federal Data Protection Act (LPD) requires companies to take security measures adapted to the nature of the data and the risks associated with its processing; working through a provider or subcontractor does not relieve them of their potential liability in the event of a security breach.
 
The economic losses resulting from intellectual property theft are particularly complex to evaluate. For technology-based products, the time between the theft and the appearance of a product built on it is likely to be measured in years. A car dealer whose cars were stolen knows exactly what he has lost; a car manufacturer whose design was hijacked, on the other hand, may not know until a competitor launches a model similar to his own. As a result, insurers are often reluctant to provide cover against these types of intellectual property infringement.
 
In a constantly changing digital landscape, the recent increase in the frequency and severity of cyber-attacks gives rise to another risk: that directors and officers may themselves be held liable for their failure to act or close loopholes, as was the case with Target, Wyndham, and Home Depot in the United States.
 

Although the market is not yet mature, insurance solutions for “cyber” risks have appeared in the United States and are gaining ground in Europe. Insurers still have difficulty quantifying these risks due to the lack of an audit trail of incidents, the rapid progression of the type and number of cyber-attacks, as well as related financial challenges. 

Overview

Phishing

A hacking method in which an imitation of an email or website from a trusted institution (banks, public administrations) is used to trick users into disclosing sensitive information (e.g. passwords).

DoS

A denial of service (DoS) attack is one that shuts down a computer system, making it unavailable to its users.

Cloud

Cloud computing is an infrastructure in which computing power and storage are managed by remote servers to which users connect via a secure internet connection.

Advanced Persistent Threat (APT)

An APT (Advanced Persistent Threat) attack is an attempt to plant spyware on a computing device and keep it there, unnoticed, for as long as possible.


Limited guarantees in traditional contracts

In some cases, certain “cyber” guarantees are already included in the insurance policies a company holds, which shows the importance of analysing each contract from the angle of “cyber” risk. However, cover for this type of loss has many limitations: property insurance covers tangible goods and compensates for damage resulting from the destruction, degradation or disappearance of property, but rarely for intangible damage caused by a computer virus; fraud insurance covers the cost of reconstructing data in certain circumstances, with cases of computer abuse only partially covered; and claims relating to a breach of an employee’s privacy could potentially be covered by both EPL insurance and cyber insurance.
 
As prevention is crucial, external service providers, such as digital security experts or legal advisers, are normally offered by insurers.
 
To offer a business a contract with terms tailored to its profile, in addition to a pricing plan, the insurer needs a specific understanding of the business’ field, must review the company’s level of dependency on its computer systems, and must estimate the maximum duration of a system shutdown the company can withstand before suffering a significant impact. If the company does not show a willingness to manage its risks, the purchase of this insurance may be compromised. It is therefore important for the company to describe in detail the security policy for its IT systems, as well as the volume, nature and conditions of the data processing and storage it carries out.
 
High-profile attacks, like those suffered by Target and Home Depot, have shown that a single cyber-attack can trigger several insurance policies, which raises the issue of insurers’ total exposure. In addition, system interconnections and cloud-based outsourcing increase the likelihood of multiple risks materialising at once. Faced with a risk that affects all sectors and all countries, organisations must be prepared to respond quickly to their customers and to any form of investigation by the authorities, or to complaints that could be filed, including against directors. The first few hours following a crisis are decisive, and crisis management exercises are far from straightforward. Some sectors are more exposed to data theft, while others, such as energy and transport, are at greater risk of remote takeover of their installations and interruption of operations.

A strategic and human problem

For company directors, digital security is a concern that goes beyond purely technological aspects. It is also a strategic and human problem that requires investment. Organisations are not attacked by computers, but by humans who exploit weaknesses that are both human and technological. Just as the company has health and safety obligations towards its employees, it now has a duty to put in place digital hygiene rules, under the supervision of management. Companies must be ready to face these types of loss and integrate them systematically into their crisis management plan.
 
The EU and Switzerland have not yet reached the point of criminally charging business leaders following computer attacks, as is beginning to happen in the United States. However, heads of listed European companies with US market exposure are not immune to such lawsuits. And no one knows how the frequency and severity of these attacks will evolve in the coming years.
 
In the same way that a building is insured against fire, companies should take out “cyber” insurance and their directors should take out Management Liability insurance. Requirements differ from one company to another and from one sector to another: the impact of a customer data theft will not be the same for a hospital as for a packaging manufacturer. The role of the broker is to support the company in identifying its risks and to provide a customised offer.

Cybercrime in numbers

200.5

The cost of damages caused to companies by cyber-crime in Switzerland in 2014, in millions of Swiss francs, according to the auditing firm KPMG.

+48%

The increase in the number of reported security incidents worldwide in 2014, rising to 42.8 million, the equivalent of an average of 117,339 attacks per day, according to the auditing firm PricewaterhouseCoopers.

2.7

The estimated average reported financial loss from cyber-security incidents worldwide in 2014, a 34% increase over one year, according to PricewaterhouseCoopers.

+61%

The increase in the number of data breaches in 2013 compared with the previous year, according to the European Network and Information Security Agency (ENISA).

229

The average time taken to detect an advanced and targeted cyber-attack (APT), in days, according to cyber-security company FireEye.

Sophie Di Meglio
Special Risks Director - Swiss Risk & Care
Article published in September 2015